How does Logstash determine that a field matches a string regularly？

wentao_Xiong · July 26, 2022, 2:45am

I am a newcomer to ELK, and now I encounter a problem as shown in the title: How does Logstash determine that a field matches a string regularly?
such as whether the [path] field contains the "err" string? (the path field means the filename such as "/var/log/game_err.log")
Is this how it is configured in logstash.conf?

Sincerely hope to get an answer, thank you!

sudhagar_ramesh · July 26, 2022, 2:59am

Hello @wentao_Xiong

You are trying to get the file path if that is the case then use filebeat. To get the substring from the filename "err" then use grok pattern.

input
{
<Your-filebeats-configuration>
}

filter
{
grok
{
match => 
{
"message" => '/%{GREEDYDATA:path}/%{GREEDYDATA:filename}'
}
}

}
output
{
if [filename] == "game_err"
{
stdout{codec => jsondebug}
}
}

wentao_Xiong · July 26, 2022, 4:24am

Hello~ @sudhagar_ramesh
Thanks a lot for your answer! I would like to elaborate on my situation:

The data I collect has the format of "/var/log/game_err.log" or "/xx/xx/xx_errxx.log" in the field [path] value, I need to judge whether the field [path] contains Some string "err"?

My logstash.conf is

input {
  beats {
    port => 5044
  }
}

filter {
  if [path] in "err" {
    mutate {
      add_field => {
        "log_type" => "err"
      }
    }
  }
  if [path] in "oss" {
    mutate {
      add_field => {
        "log_type" => "oss"
      }
    }
  }
}

output {
  if [log_type] == "err" {
    elasticsearch {
      hosts => ["http://******:9200"]
      index => "log-err-%{+YYYY.MM.dd}"
      user => "****"
      password => "****"
    }
  }else if [log_type] == "oss" {
    redis {
      host => "******"
      password => "****"
      port => 6379
      data_type => list
      db => 0
      key => "log-oss"
    }
  }
}

Why if [path] in "err" doesn't work?

Thanks again and looking forward to your reply!

wentao_Xiong · July 26, 2022, 9:16am

I solved this problem，thanks ！

input {
  beats {
    port => 5044
  }
}

filter {
  if [log][file][path] =~ /err/ {
    mutate {
      add_field => {
        "log_type" => "err"
      }
    }
  }
  if [log][file][path] =~ /oss/ {
    mutate {
      add_field => {
        "log_type" => "oss"
      }
    }
  }
}

output {
  if [log_type] == "err" {
    elasticsearch {
      hosts => ["http://xxxxx:9200"]
      index => "log-err-%{+YYYY.MM.dd}"
      user => "xxxxxxxxx"
      password => "xxxx"
    }
  }else if [log_type] == "oss" {
    redis {
      host => "xxxxxxxx"
      password => "xxxx"
      port => 6379
      data_type => list
      db => 0
      key => "log-oss"
    }
  }

  stdout { codec => rubydebug }
}

system · August 23, 2022, 9:16am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
If path containing some string then field value is "somthing" Logstash	5	4473	July 9, 2019
Check if string is in field Logstash	10	6644	May 5, 2021
How can I check if the log file path contains a certain string in the logstash configuration using regex? Logstash	4	2861	April 28, 2020
Condition on filename in the path Logstash	3	2737	June 21, 2019
Pattern matching in Logstash Logstash	5	685	September 4, 2017

How does Logstash determine that a field matches a string regularly？

Related topics